Used to validate login session cookies. Genearte one with `openssl rand -base64 33`.
| | `AUTH_SESSION_MAX_AGE_SECONDS` | `2592000` (30 days) |Relative time from now in seconds when to expire the session.
| | `AUTH_SESSION_UPDATE_AGE_SECONDS` | `86400` (1 day) |How often the session should be updated in seconds. If set to `0`, session is updated every time.
| | `OAUTH_AUTHORIZATION_CODE_TTL_SECONDS` | `600` (10 minutes) |Lifetime of an OAuth authorization code, in seconds.
| | `OAUTH_ACCESS_TOKEN_TTL_SECONDS` | `3600` (1 hour) |Lifetime of an OAuth access token, in seconds.
| | `OAUTH_REFRESH_TOKEN_TTL_SECONDS` | `7776000` (90 days) |Lifetime of an OAuth refresh token, in seconds.
| | `AUTH_URL` | - |URL of your Sourcebot deployment, e.g., `https://example.com` or `http://localhost:3000`.
| | `CONFIG_PATH` | `-` |The container relative path to the declarative configuration file. See [this doc](/docs/configuration/declarative-config) for more info.
| | `DATA_CACHE_DIR` | `$DATA_DIR/.sourcebot` |The root data directory in which all data written to disk by Sourcebot will be located.
| | `DATA_DIR` | `/data` |The directory within the container to store all persistent data. Typically, this directory will be volume mapped such that data is persisted across container restarts (e.g., `docker run -v $(pwd):/data`)
| | `DATABASE_URL` **(required)** | - |Connection string of your Postgres database, e.g. `postgresql://user:password@host:5432/sourcebot`.
If you'd like to use a non-default schema, you can provide it as a parameter in the database url.
You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.
| | `EMAIL_FROM_ADDRESS` | `-` |The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.
| | `REDIS_URL` **(required)** | - |Connection string of your Redis instance, e.g. `redis://host:6379`.
To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).
| | `REDIS_REMOVE_ON_COMPLETE` | `0` |Controls how many completed jobs are allowed to remain in Redis queues
| | `REDIS_REMOVE_ON_FAIL` | `100` |Controls how many failed jobs are allowed to remain in Redis queues
| | `REPO_SYNC_RETRY_BASE_SLEEP_SECONDS` | `60` |The base sleep duration (in seconds) for exponential backoff when retrying repository sync operations that fail
| | `GITLAB_CLIENT_QUERY_TIMEOUT_SECONDS` | `600` |The timeout duration (in seconds) for GitLab client queries
| | `SMTP_CONNECTION_URL` | `-` |The url to the SMTP service used for sending transactional emails. See [this doc](/docs/configuration/transactional-emails) for more info.
You can also use `SMTP_HOST`, `SMTP_PORT`, `SMTP_USERNAME`, and `SMTP_PASSWORD` to construct the SMTP connection url.
| | `SMTP_HOST` | `-` |The hostname of the SMTP server. Used to construct `SMTP_CONNECTION_URL` when individual SMTP variables are provided.
| | `SMTP_PORT` | `-` |The port of the SMTP server.
| | `SMTP_USERNAME` | `-` |The username for SMTP authentication.
| | `SMTP_PASSWORD` | `-` |The password for SMTP authentication.
| | `SOURCEBOT_ENCRYPTION_KEY` **(required)** | - |Used to encrypt connection secrets and generate API keys. Generate one with `openssl rand -base64 24`.
| | `SOURCEBOT_PUBLIC_KEY_PATH` | `/app/public.pem` |Sourcebot's public key that's used to verify encrypted license key signatures.
| | `SOURCEBOT_LOG_LEVEL` | `info` |The Sourcebot logging level. Valid values are `debug`, `info`, `warn`, `error`, in order of severity.
| | `SOURCEBOT_STRUCTURED_LOGGING_ENABLED` | `false` |Enables/disable structured JSON logging. See [this doc](/docs/configuration/structured-logging) for more info.
| | `SOURCEBOT_STRUCTURED_LOGGING_FILE` | - |Optional file to log to if structured logging is enabled
| | `SOURCEBOT_TELEMETRY_DISABLED` | `false` |Enables/disables telemetry collection in Sourcebot. See [this doc](/docs/misc/telemetry) for more info.
| | `DEFAULT_MAX_MATCH_COUNT` | `10000` |The default maximum number of search results to return when using search in the web app.
| | `ALWAYS_INDEX_FILE_PATTERNS` | - |A comma separated list of glob patterns matching file paths that should always be indexed, regardless of size or number of trigrams.
| | `NODE_USE_ENV_PROXY` | `0` |Enables Node.js to automatically use `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables for network requests. Set to `1` to enable or `0` to disable. See [this doc](https://nodejs.org/en/learn/http/enterprise-network-configuration) for more info.
| | `HTTP_PROXY` | - |HTTP proxy URL for routing non-SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.
| | `HTTPS_PROXY` | - |HTTPS proxy URL for routing SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.
| | `NO_PROXY` | - |Comma-separated list of hostnames or domains that should bypass the proxy (e.g., `localhost,127.0.0.1,.internal.domain`). Requires `NODE_USE_ENV_PROXY=1`.
| | `SOURCEBOT_EE_AUDIT_LOGGING_ENABLED` | `true` |Enables/disables audit logging
| | `SOURCEBOT_EE_AUDIT_RETENTION_DAYS` | `180` |The number of days to retain audit logs. Audit log records older than this will be automatically pruned daily. Set to `0` to disable pruning and retain logs indefinitely.
| | `AUTH_EE_GCP_IAP_ENABLED` | `false` |When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect
| | `AUTH_EE_GCP_IAP_AUDIENCE` | - |The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning
| | `PERMISSION_SYNC_ENABLED` | `false` |Enables [permission syncing](/docs/features/permission-syncing).
| | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` |Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.
| | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` |When enabled, different SSO accounts with the same email address will automatically be linked.
| | `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` |When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.
| | `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` |When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.
| ### Review Agent Environment Variables | Variable | Default | Description | | :----------------------------------------- | :------- | :------------------------------------------------------------------------------------------------------ | | `GITHUB_REVIEW_AGENT_APP_ID` | `-` |The GitHub App ID used for review agent authentication.
| | `GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH` | `-` |The container relative path to the private key file for the GitHub App used by the review agent.
| | `GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET` | `-` |The webhook secret for the GitHub App used by the review agent.
| | `OPENAI_API_KEY` | `-` |The OpenAI API key used by the review agent.
| | `REVIEW_AGENT_API_KEY` | `-` |The Sourcebot API key used by the review agent.
| | `REVIEW_AGENT_AUTO_REVIEW_ENABLED` | `false` |Enables/disables automatic code reviews by the review agent.
| | `REVIEW_AGENT_LOGGING_ENABLED` | `true` |Enables/disables logging for the review agent. Logs are saved in `DATA_CACHE_DIR/review-agent`
| | `REVIEW_AGENT_REVIEW_COMMAND` | `review` |The command used to trigger a code review by the review agent.
| ### Overriding environment variables from the config You can override environment variables from the config file by using the `environmentOverrides` property. See [this doc](/docs/configuration/config-file#overriding-environment-variables-from-the-config) for more info.